Re: CA and smart card logon kerberos error

From: Tim Springston [MSFT] (tspring_at_online.microsoft.com)
Date: 07/15/04

  • Next message: Tim Springston [MSFT]: "Re: Anonymous logins"
    Date: Thu, 15 Jul 2004 13:42:34 -0500
    
    

    Hi Lars, Francesco-

    The error maps to the information below in the Troubleshooting Kerberos
    whitepaper. That whitepaper can be downloaded from
    http://www.microsoft.com/downloads/details.aspx?FamilyID=7dfeb015-6043-47db-8238-dc7af89c93f1&displaylang=en

    0x10 - KDC_ERR_PADATA_TYPE_NOSUPP: KDC has no support for padata type

    Associated internal Windows error codes
              STATUS_UNSUPPORTED_PREAUTH
              STATUS_NOT_SUPPORTED

    Corresponding debug output messages
              D_DebugLog("KLIN(%x) No pre-auth data in TGS request - not allowed.\n")

    Possible Cause and Resolution:
              Smart card logon is being attempted and the proper certificate
    cannot be located. This can happen because the wrong certificate authority
    (CA) is being queried or the proper CA cannot be contacted.

    Resolution

    1. Verify that there is a functioning CA on the domain.

    2. Verify that the client can locate the CA.

    Please reply if you have followup questions or concerns.

    -- 
    Tim Springston
    Microsoft Corporation
    This posting is provided "AS IS" with no warranties, and confers no rights.
    "Lars Olaussen" <Isolauss@hotmail.com> wrote in message
    news:O4VSAoMaEHA.2816@TK2MSFTNGP11.phx.gbl...
    > "Francesco B." <francesco.bragantini@phoenix-systems.it> wrote ...
    >
    > > I set up a CA on a Windows 2000 Server and I'm having a problem logging
    > > on to the domain with smart cards. When I try to log on to the server
    > > with the Administrator account or any other account I get a Logon Message
    > > saying "Network request not supported".
    > >
    > > I enabled account access auditing and Kerberos auditing through registry
    > > settings, so I could be able to tell where the problem was occurring.
    > > The more relevant event it showed was Kerberos error code
    > > 0x10 KDC_ERR_PADATA_TYPE_NOSUPP in the System log.
    > >
    > > Can you guys help me out, I'm stuck on this one; I thought that after
    > > installing and correctly configuring the CA, issuing certificates and
    > > mapping these certificates to the respective domain users I should've
    > > been ok. Seems I'm not.
    >
    >
    > Francesco,
    >
    > I'm not familiar with Kerberos error codes, but I would think that your
    > problem is that you have not issued Domain Controller Certificates to
    > your DCs.
    >
    > A requirement for smartcard logon is that the DC you use for
    > authentication must have a DC certificate (all DCs should have a
    > certificate, to be sure that you always authenticate with a DC with a
    > certificate).
    >
    > When both EE and DC have valid certificates, you have to be sure that
    > CRLs for all certificates in the chain are available. This is needed
    > because smartcard logon requires full certificate path validation.
    >
    > To check the certificate on the smartcard, without performing a logon,
    > you can use this command:
    >
    > dsstore -checksc
    >
    > You can also verify domain controller certificates with this command:
    >
    > dsstore -dcmon
    >
    > This document should be a good reference if you still have problems:
    >
    > http://www.microsoft.com/windows2000/techinfo/administration/security/smrtcrdtr.asp
    >
    >
    > Regards,
    > Lars Olaussen
    > Isolauss@hotmail.com
    >
    >
    >
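    An added check, not part of the thread above, for the two conditions Lars
    lists in his quoted reply (the DC holds a usable certificate, and every
    CRL in the chain is reachable). The thread concerns Windows 2000 and the
    dsstore tool; this script assumes a current Windows domain controller with
    PowerShell and runs the same chain validation with online revocation
    checking that the KDC performs. The EKU OIDs are the standard ones: Server
    Authentication (1.3.6.1.5.5.7.3.1, carried by the Domain Controller
    template) and KDC Authentication (1.3.6.1.5.2.3.5, carried by the newer
    Kerberos Authentication template).

```powershell
# Added example (not from the thread). Run elevated on the domain controller.
# Enumerates machine certificates that could satisfy smart card logon and
# builds each chain with online revocation checking over the whole chain,
# so an unreachable CRL distribution point shows up as a chain failure here
# instead of as a logon error on the client.

$ServerAuthEku = '1.3.6.1.5.5.7.3.1'   # Server Authentication (Domain Controller template)
$KdcAuthEku    = '1.3.6.1.5.2.3.5'     # KDC Authentication (Kerberos Authentication template)

function Get-CertEkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if (-not $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Test-DcCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Fetch CRLs from the CDP URLs in the certificates (what the KDC does)
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    # Check revocation for every certificate in the chain, not just the leaf
    $chain.ChainPolicy.RevocationFlag =
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.VerificationFlags =
        [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag

    $ok = $chain.Build($Cert)
    [pscustomobject]@{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        NotAfter      = $Cert.NotAfter
        HasPrivateKey = $Cert.HasPrivateKey   # must be $true for the KDC to use it
        ChainValid    = $ok
        ChainStatus   = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
}

$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $oids = Get-CertEkuOids -Cert $_
    ($oids -contains $ServerAuthEku) -or ($oids -contains $KdcAuthEku)
}

if (-not $candidates) {
    Write-Warning ('No certificate with Server Authentication or KDC Authentication EKU ' +
                   'in LocalMachine\My: this DC cannot complete a smart card logon.')
} else {
    $candidates | ForEach-Object { Test-DcCertificate -Cert $_ } | Format-List
}
```

    A ChainStatus of RevocationStatusUnknown or OfflineRevocation on an
    otherwise valid certificate is the CRL-availability problem Lars describes;
    NotTimeValid or UntrustedRoot points at the certificate or the CA instead.
    The same chain check on an exported smart card certificate can be run with
    the built-in tool: certutil -verify -urlfetch user.cer.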
    
